Ref: https://learn.cantrill.io/courses/2022818/lectures/45637093

YouTube: https://www.youtube.com/watch?v=4qlIim15xwM

• Summary:
• Contents:

ZSK and RRSIG records

• 🔧 Every DNS zone has a Zone Signing Key (ZSK) pair
  • Private ZSK: kept safe (offline)
    • used to sign RRSETs in the zone
  • Public ZSK: kept inside the zone's DNSKEY record
    • accessible by DNSSEC clients to verify validity of signed RRSETs
• ‼️ DNSSEC validates whole RRSETs (not individual records)!
  • The zone signs every RRSET using its private ZSK
  • RRSET signatures stored in Resource Record Signature (RRSIG) records inside the zone
  • ❗ If an RRSET changes, its RRSIG needs to be regenerated with the private ZSK
    • otherwise, DNSSEC tells clients that the RRSET is not valid

• When querying a zone's records:
  • DNS-only clients receive the requested RRSET
  • DNSSEC clients receive the requested RRSET and its associated RRSIG
    • ❗ clients can use public ZSK to verify RRSIG and its corresponding RRSET are valid
    • Data integrity protection → infrastructure is robust vs DNS cache poisoning

DNSKEY records and KSK

• If the ZSK is used to sign all records in the zone, how do we trust the ZSK?
  • ❗ There is a RRSET in the zone (the DNSKEY RRSET) that is signed by a different key!

• 🔧 Every DNS zone has a Key Signing Key (KSK) pair

  • Private KSK: kept safe (offline)
    • used to sign the DNSKEY record of the zone
  • Public KSK: kept inside the zone's DNSKEY record
    • accessible by DNSSEC clients to verify validity of DNSKEY’s RRSIG
    • ❗ trusted by the parent zone (a hash of it is stored in the parent zone's DS record)

• DNSKEY records: store public keys that can verify all RRSIGs in the zone

  

  • Flag 256 = public ZSK
  • Flag 257 = public KSK

• ‼️ ZSK and KSK are NOT the same!!

  • ZSK used to generate and verify all RRSIGs in the zone except the RRSIG for DNSKEY
  • KSK used to generate and verify the RRSIG of the DNSKEY record in the zone

Why two pairs of keys (ZSK and KSK) per zone?